Testing filters with fail2ban-regex

Whenever you add or change a filter you will want to test that the regular expressions are correct by running it over an existing logfile.

The tool for doing this is fail2ban-regex which is used as follows:

fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/fail2ban-smtp.conf

The first argument is the logfile to scan (a single log line, or a file of sample lines, is also accepted) and the second is the filter file from filter.d that contains the failregex. Note that this is the filter, not the jail configuration in jail.conf or jail.local; when testing a pattern in isolation you can also pass a single regular expression in place of the filter file.

The output first lists all the regular expressions in use, then a tally of how many log lines each one matched, followed by a summary of the form "Lines: N lines, 0 ignored, M matched, K missed". The match counts should agree with what you can find manually in the logfile using grep or awk, and a non-zero "missed" count deserves a look: any missed line that is a genuine failure means the filter needs another failregex. Finally, the 'caught' IP addresses are listed (recent versions only print this per-line detail with -v or --print-all-matched).
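The manual cross-check the paragraph above refers to, as an added example that is not part of the original page: a failregex in fail2ban's <HOST> notation is turned into an ERE and run over a constructed sshd log with grep, producing the same matched/missed counts and caught-host list that fail2ban-regex reports. The filter pattern, the log lines and the IPv4-only stand-in for <HOST> are all assumptions made for the example; fail2ban's real <HOST> also matches IPv6 addresses and hostnames, and a failregex that uses Python-only regex syntax will not translate this simply.

```sh
#!/bin/sh
# Added example, not from the page: cross-check a failregex with grep/awk, the
# manual count the text says fail2ban-regex's tally should agree with.
# Assumptions (all hypothetical): the failregex uses only syntax that means the
# same thing in Python's re and POSIX ERE, and <HOST> only needs to match IPv4.

# Constructed sshd log lines, not a real capture.
SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat >"$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:02 host sshd[1001]: Failed password for root from 203.0.113.5 port 41234 ssh2
Mar  3 10:01:09 host sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 41235 ssh2
Mar  3 10:02:44 host sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 50100 ssh2
Mar  3 10:03:15 host sshd[1004]: Failed password for bob from 198.51.100.20 port 50123 ssh2
Mar  3 10:03:16 host sshd[1005]: Connection closed by 198.51.100.20 port 50123 [preauth]
EOF

# Constructed failregex in fail2ban's <HOST> notation (a hypothetical filter).
FAILREGEX='Failed password for .* from <HOST> port [0-9]+ ssh2'
# IPv4-only stand-in for <HOST>; written without backslashes so it survives sed.
IPV4_RE='([0-9]{1,3}[.]){3}[0-9]{1,3}'

# Rewrite the fail2ban pattern into an ERE that grep -E understands.
failregex_to_ere() {
    printf '%s\n' "$1" | sed "s/<HOST>/$IPV4_RE/g"
}

# Number of lines the regex matches: should equal fail2ban-regex's "matched".
count_matched() {  # $1 = logfile
    grep -cE "$(failregex_to_ere "$FAILREGEX")" "$1" || true
}

# Lines no regex caught: fail2ban-regex reports these as "missed". A missed
# line that is a real failure means the filter needs another failregex.
count_missed() {  # $1 = logfile
    grep -vcE "$(failregex_to_ere "$FAILREGEX")" "$1" || true
}

# Hosts fail2ban would see, with a hit count each (the "caught" addresses).
caught_hosts() {  # $1 = logfile
    grep -E "$(failregex_to_ere "$FAILREGEX")" "$1" |
        grep -oE "$IPV4_RE" | sort | uniq -c | sort -rn
}

count_matched "$SAMPLE_AUTH_LOG"
count_missed "$SAMPLE_AUTH_LOG"
caught_hosts "$SAMPLE_AUTH_LOG"
```

Against the sample above this reports 3 matched and 2 missed; the two missed lines are a successful login and a disconnect, so they are correctly ignored. Run the same pattern through fail2ban-regex on the same file and the two tallies should agree.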

Generating Simple Reports

All of the following commands can be run at the command-line or via a script. They are written for Linux/UNIX systems but may work on other platforms.
Grouping by IP address:

awk '($(NF-1) ~ /Ban/){print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n

The comparison must be ~ (regex match), not = (assignment). Note also that matching on "Ban" picks up the "Restore Ban" lines newer fail2ban versions write at startup when they reload bans from the persistent database, so after a restart the counts include re-applied bans as well as new ones.

Reporting on today's activity:

Here's a report I find useful to run before midnight each day to generate a summary of the day's activity:

grep "Ban " /var/log/fail2ban.log | grep "$(date +%Y-%m-%d)" | awk '{print $NF}' | sort | awk '{print $1,"("$1")"}' | logresolve | uniq -c | sort -n

The output has the same shape as the previous report, but limited to today's entries rather than the whole logfile, and each line shows the resolved hostname followed by the address in parentheses. logresolve is the reverse-lookup helper shipped with Apache httpd; drop that stage of the pipeline if it is not installed.

Grouping by Date and Fail2Ban section

This report scans all fail2ban logfiles, including rotated and compressed ones, and gives you a summary of how many ban events there were for each jail (the bracketed section name in the log line) on each day:

zgrep -h "Ban " /var/log/fail2ban.log* | awk '{print $(NF-2),$1}' | sort | uniq -c

The jail name is taken as the third field from the end rather than a fixed column because the number of fields before it differs between fail2ban versions (older releases log "fail2ban.actions: WARNING [jail] Ban", newer ones "fail2ban.actions [pid]: NOTICE [jail] Ban").

This can give you an idea of longer-term trends and the effectiveness of your firewall rules. This method of examining all logfiles rather than just the current one can also be applied to most of the reports above.
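The three reports above (bans per IP, bans for one day, bans per jail per day) rewritten as functions over one constructed log, as an added example that is not part of the original page. It assumes only that every ban line ends in "[jail] Ban <ip>", which holds for both the old and the new log layouts, and it excludes Unban and "Restore Ban" lines so that a restart does not inflate the figures. The log contents, addresses and jail names are made up for the example.

```sh
#!/bin/sh
# Added example, not from the page: the three reports above rewritten so they
# do not depend on field positions that differ between fail2ban versions.
# Assumption (hypothetical): every ban line ends in "[jail] Ban <ip>", which
# holds for both the old "fail2ban.actions: WARNING" and the newer
# "fail2ban.actions [pid]: NOTICE" layouts.

# Constructed fail2ban.log, not a real capture. It mixes both layouts and
# includes an Unban and a "Restore Ban" (logged on restart for bans reloaded
# from the persistent database), neither of which is a new ban.
SAMPLE_F2B_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_F2B_LOG"' EXIT
cat >"$SAMPLE_F2B_LOG" <<'EOF'
2024-03-03 00:12:31,512 fail2ban.actions        [842]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-03 00:12:40,101 fail2ban.actions        [842]: NOTICE  [sshd] Ban 198.51.100.20
2024-03-03 03:40:02,009 fail2ban.actions        [842]: NOTICE  [postfix] Ban 203.0.113.5
2024-03-03 10:12:31,600 fail2ban.actions        [842]: NOTICE  [sshd] Unban 203.0.113.5
2024-03-04 08:00:00,000 fail2ban.actions        [913]: NOTICE  [sshd] Restore Ban 198.51.100.20
2024-03-04 09:15:45,221 fail2ban.actions        [913]: NOTICE  [sshd] Ban 203.0.113.5
2024-03-04 09:16:00,000 fail2ban.actions        [913]: NOTICE  [recidive] Ban 203.0.113.5
2012-05-01 23:59:00,111 fail2ban.actions: WARNING [ssh] Ban 192.0.2.9
EOF

# Genuine ban events only: third-from-last field is "[jail]", second-from-last
# is exactly "Ban". That drops Unban lines and "Restore Ban" lines, which a
# plain grep "Ban " would count. With no file arguments it reads stdin.
ban_events() {  # args = logfiles
    awk '$(NF-2) ~ /^\[.*\]$/ && $(NF-1) == "Ban"' "$@"
}

# Report 1: bans per IP address over the whole log, busiest first.
bans_by_ip() {
    ban_events "$@" | awk '{print $NF}' | sort | uniq -c | sort -rn
}

# Report 2: the same, restricted to one day (YYYY-MM-DD, the first field).
bans_on_day() {  # $1 = date, rest = logfiles
    day=$1; shift
    ban_events "$@" | awk -v d="$day" '$1 == d {print $NF}' | sort | uniq -c | sort -rn
}

# Report 3: ban count per jail per day, for trend watching.
bans_by_day_and_jail() {
    ban_events "$@" | awk '{print $1, $(NF-2)}' | sort | uniq -c
}

bans_by_ip "$SAMPLE_F2B_LOG"
bans_on_day 2024-03-03 "$SAMPLE_F2B_LOG"
bans_by_day_and_jail "$SAMPLE_F2B_LOG"
```

On a live system run bans_on_day "$(date +%Y-%m-%d)" /var/log/fail2ban.log for today's figures, and feed rotated logs in with zcat -f /var/log/fail2ban.log* | bans_by_day_and_jail, since zcat -f passes uncompressed files through unchanged. In the sample, 203.0.113.5 counts four bans across three jails while the Restore Ban for 198.51.100.20 is not counted a second time.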